Google Testing Password-Free Log-ins to Online Services

Google's goal is to curb phishing and other attacks that involve the use of passwords to gain access to accounts and exploit them.

Google is testing a way to let people log in to its online services without a password. A small number of its users have been invited to participate in tests involving the use of their smartphones to log in to Gmail and other Google services.
" 'Pizza,' 'password' and '123456'—your days are numbered', " Google said in a statement. "We've invited a small group of users to help test a new way to sign in to their Google accounts, no password required."
A Reddit user who claimed to have received an invite said users who register for the option will receive an alert on their phones when they enter their usernames to access a Google service. The alert prompts the user to confirm whether he or she is attempting to log in to the service. Once confirmed, the user gains access to the account.
Users will still be able to access their accounts using a regular typed password if they choose to do so. The password-free sign-in feature will become available to users of both Android and iOS devices.

Google's goal in introducing the new feature appears to be to curb phishing and other attacks that involve the use of passwords to gain access to accounts and to exploit them.

Security researchers have long lamented the tendency among people to use weak, easily guessed passwords to protect account access and have urged organizations and individuals to implement strong two-factor authentication to their accounts.
Despite considerable awareness of the issue, studies have repeatedly shown that a vast majority of online users continue to stick with passwords that are simple to guess.
A study by SplashData earlier this year showed that the most commonly used password for 2014 was "123456," followed by "password." Other common passwords that SplashData gleaned from a collection of more than 3.3 million stolen user names and passwords included "qwerty," "baseball" and "dragon." The tendency by many online users to use the same password across multiple accounts has only exacerbated the problem.
The results of a Google study, released earlier this year, showed that even the security questions that people use to recover forgotten passwords are easy to guess. Users trying to keep their password recovery answers simple often tended to use common responses. Google, for instance, discovered that with a single guess an attacker would have a nearly 20 percent chance of guessing that an average English-speaking user's favorite food is pizza. Similarly, with 10 guesses, an attacker would have a 21 percent chance of correctly guessing a Spanish-speaking user's father's middle name.
Conversely, users who chose hard answers for their password recovery security questions often had a hard time remembering it. Because of such issues, some security researchers have been advocating the use of other mechanisms, particularly smartphones to authenticate users to their accounts.
Google is the second major email provider to consider a password-free log-in process. Yahoo recently introduced a new Yahoo Account Key feature that lets mobile users sign in to its services without a password.